CVE-2026-48190
Received Received - Intake
Incorrect Permission Handling in OTRS External Interface

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: OTRS AG

Description
An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-01
AI Q&A
2026-06-01
EPSS Evaluated
N/A
NVD
CVE-2026-48190
EUVD
EUVD-2026-33550
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
otrs otrs 7.0
otrs otrs 8.0
otrs otrs 2023
otrs otrs 2024
otrs otrs 2025
otrs otrs to 2026.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is caused by incorrect handling of permissions in the OTRS External Interface and the ConfigItem List module. It allows an authenticated customer to query the system for Configuration Item (CI) information. For this vulnerability to be exploitable, the Configuration Management Database (CMDB) must be enabled and CustomerGroupSupport must be used.


How can this vulnerability impact me? :

The impact of this vulnerability is that an authenticated customer could gain unauthorized access to CI information within the system. This could lead to information disclosure, potentially exposing sensitive configuration details that should be restricted.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart